Re: [dnsext] DNSSEC, robustness, and several DS records

Mark Andrews <marka@isc.org> Thu, 12 May 2011 01:28 UTC

To: Francis Dupont <Francis.Dupont@fdupont.fr>
From: Mark Andrews <marka@isc.org>
References: <201105112022.p4BKMHmp010275@givry.fdupont.fr>
In-reply-to: Your message of "Wed, 11 May 2011 22:22:17 +0200." <201105112022.p4BKMHmp010275@givry.fdupont.fr>
Date: Thu, 12 May 2011 11:28:32 +1000
Message-Id: <20110512012832.296D7EAE55F@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records

In message <201105112022.p4BKMHmp010275@givry.fdupont.fr>, Francis Dupont writes:
>  In your previous mail you wrote:
> 
>    Note that the text in RFC 4509 has a SHOULD, not a MUST. The fact
>    that the BIND and Unbound people treat it as a MUST seems like a
>    bug.
>    
> => I don't understand how the SHOULD can be interpreted in order to
> avoid the "bug" (:-). Seriously you can disagree with RFC 4509
> but not about the way it has to be implemented, i.e., your concern
> is not about what it should be...
> 
> Regards
> 
> Francis.Dupont@fdupont.fr

Agreed.  You are either configured to follow the SHOULD or not and
the default is to fail.  Now not having a switch to turn it off
means you don't have a workaround once you discover that the DS is
wrong, which requires contacting the administrators for the zone as
they are the only ones that can tell you whether it is wrong or you
are under attack.  You can make an educated guess without contacting
the zone administrators.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
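The behaviour being argued about above can be shown in a few lines. The following is an added example written for this archive page; it is not code from the thread, nor from BIND or Unbound. It computes DS digests the way RFC 4034 section 5.1.4 describes (hash over the owner name in wire format followed by the DNSKEY RDATA), applies the RFC 4509 section 3 rule that a validator SHOULD ignore SHA-1 DS records when SHA-256 DS records are present in the same RRset, and exposes that rule as a switch so the "fail with no workaround" case and the "switch it off" case can be compared. The zone name `example.`, the DNSKEY flags/algorithm values and the 64-byte key are constructed placeholders, not a real key, and the "wrong" SHA-256 DS is constructed by zeroing the digest to stand in for a mis-published record.

```python
import hashlib
import struct
from dataclasses import dataclass

# DS digest type codes (RFC 4034 / RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_ALGS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # Key tag calculation from RFC 4034 Appendix B.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if (i & 1) else (b << 8)
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercased, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS a parent would publish: digest = hash(owner | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True when this DS record authenticates this DNSKEY."""
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    alg = DIGEST_ALGS.get(ds.digest_type)
    if alg is None:
        return False  # unknown digest type: cannot be used for validation
    return alg(wire_name(owner) + key.rdata()).digest() == ds.digest


def usable_ds(ds_rrset, follow_rfc4509: bool):
    """RFC 4509 s3: SHOULD ignore SHA-1 DS records if SHA-256 ones are present.
    follow_rfc4509 is the hypothetical switch the thread says is missing."""
    if follow_rfc4509 and any(ds.digest_type == DIGEST_SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds.digest_type != DIGEST_SHA1]
    return list(ds_rrset)


def key_is_trusted(owner: str, ds_rrset, key: DNSKEY, follow_rfc4509: bool = True) -> bool:
    """A DNSKEY is trusted if any DS the validator is willing to use matches it."""
    return any(ds_matches(owner, ds, key) for ds in usable_ds(ds_rrset, follow_rfc4509))


def demo() -> dict:
    owner = "example."  # constructed zone name
    # Constructed KSK: flags 257 (SEP), protocol 3, algorithm 8; key bytes are a placeholder.
    ksk = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes(range(1, 65)))
    ds_sha1 = make_ds(owner, ksk, DIGEST_SHA1)
    ds_sha256_ok = make_ds(owner, ksk, DIGEST_SHA256)
    # Constructed mis-published SHA-256 DS: right key tag and algorithm, wrong digest.
    ds_sha256_bad = DS(ds_sha256_ok.key_tag, ds_sha256_ok.algorithm, DIGEST_SHA256, bytes(32))
    return {
        "all_correct": key_is_trusted(owner, [ds_sha1, ds_sha256_ok], ksk),
        # Default behaviour: SHA-1 DS is ignored, the bad SHA-256 DS fails, validation fails.
        "broken_sha256_default": key_is_trusted(owner, [ds_sha1, ds_sha256_bad], ksk),
        # With the switch off, the still-correct SHA-1 DS authenticates the key.
        "broken_sha256_switch_off": key_is_trusted(
            owner, [ds_sha1, ds_sha256_bad], ksk, follow_rfc4509=False
        ),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'secure' if ok else 'bogus'}")
```

The `broken_sha256_default` case is the situation described in the reply: once the SHA-256 DS is wrong, the SHA-1 DS is never consulted, so the only way back to a secure answer is for the parent to fix the DS. The switch exists here only to make the trade-off visible; the DS RRset itself is signed by the parent, so a resolver that trusts the SHA-1 record is relying on the weaker digest, which is what RFC 4509's rule is meant to avoid.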